External risk intelligence

Plesk XML-RPC API Authorization Flaw Exposes FTP Credentials

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-56843

WebPros Plesk is a web hosting control panel commonly deployed as an internet-facing management interface for servers and websites. Because it is designed to be accessed by customers over the internet to manage their hosting environments, the XML-RPC API is frequently exposed to the public network as part of the standard management surface.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts WebPros Plesk's XML-RPC API, allowing unauthorized access to other customers' sensitive information, including FTP credentials, and potentially enabling code execution. The main concern is confirming relevance and exposure.

  • Low-privilege users can access other account data.
  • Affects common web hosting management software.
  • Confirm if our hosted environments are impacted.

Attack Path

How an attacker could exploit the issue

An attacker with low-level customer access can exploit a flaw in the XML-RPC API to view domain information they shouldn't have access to. This bypasses security checks, allowing the attacker to potentially steal other users' FTP credentials. These exposed credentials could then be used to execute code on the system as another customer.

  • Requires authenticated customer access.
  • Triggers via specific XML-RPC API lookups.
  • Results in cross-tenant data exposure.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged authenticated customer could exploit an authorization flaw in the XML-RPC API to view domains they don't own. This may lead to the disclosure of other tenants' cleartext FTP credentials when legacy protocol versions are used, potentially allowing for code execution as another tenant's system user.

  • Risk of tenant FTP credential exposure.
  • Unauthorized domain lookup and data access.
  • Potential for cross-tenant system user compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

WebPros Plesk platform owners and infrastructure teams are likely responsible for addressing this vulnerability. The immediate first step is to identify all Plesk instances, confirm their exposure and business criticality, and then assign ownership for remediation.

  • Assign platform or infrastructure ownership.
  • Verify Plesk instance exposure and criticality.
  • Plan coordinated remediation or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WebPros Plesk?

Plesk is a widely used web hosting control panel that provides a graphical interface and automation tools for managing websites, databases, and server configurations. It acts as a central hub for administrators and customers to handle their hosting environments, often managing multiple isolated user accounts on a single server.

How does CVE-2026-56843 cause data exposure?

This vulnerability involves an authorization failure, specifically categorized as CWE-522. Because the API improperly enforces ownership checks for certain requests and bypasses validation for legacy protocol versions, a low-privileged user can view data belonging to other tenants, leading to the unauthorized disclosure of cleartext FTP credentials.

Do I need to worry if I am not a Plesk customer?

This flaw specifically requires a valid, low-privileged customer account to initiate the exploit. It cannot be triggered by an unauthenticated visitor or a random internet user who does not already have legitimate access to the Plesk platform.

Is my Plesk instance at risk?

According to Halo Surface Signal, Plesk is frequently deployed as an internet-facing management interface. Because the XML-RPC API is often accessible over the public network to facilitate remote management, any instance reachable via the internet should be considered at higher risk.

When should I take action for this vulnerability?

You should prioritize identifying all your running Plesk instances immediately. Confirm which versions are in use and determine if they are internet-facing. Once your inventory is complete, coordinate with your infrastructure team to apply the necessary updates to secure your management interfaces and protect tenant credentials.

References